It's something that drives telemarketers and pollsters crazy, as
there are millions of people, especially young ones, who don't
have any landlines and can't easily be reached by strangers.

But it turns out Facebook
has been openly listing mobile numbers all along, as Indian
security researcher Suriya Prakash discovered recently.

Needless to say, he wasn't happy about it.

"I would consider my most 'personal' data saved on Facebook to be
my mobile number as it is somewhat of a bridge interlinking both
my personal and online life," Prakash explained in a blog posting this past Thursday. "I
would not like people I don't want getting a hold of it."

Prakash had earlier told Facebook about his discovery, but the
company told him there were no security issues involved as the
rate of queries from a particular source would be limited as a
guard against automated attacks.

Prakash found that that was true for the desktop version of
Facebook, but not the mobile one.

Then substitute a Facebook friend's mobile number for the number
string and hit "Enter." (Be sure to include the country code
prefix — "1" for the U.S. and Canada, "44" for Britain, "33" for
France and so on.)

If your Facebook friend has listed his mobile number on Facebook,
or if he's got a
Facebook app on his smartphone, it'll show right up. In
many cases, it works for "friends of friends" and for total
strangers.

Why? As Prakash found, the default Facebook privacy setting for
"Who can look you up using the email address or phone number you
provided?" is "Everyone."

(To see it yourself, click on the downward facing arrow next to
the "Home" button in the upper-right corner of your Facebook
page, then click "Edit Settings" next to "How You Connect.")

Contacted by TechNewsDaily, a Facebook representative said this
was a feature, not a flaw.

"The ability to search for a person by phone number is
intentional behavior and not a bug in Facebook," the
representative wrote in an email.

"By default, your privacy settings allow everyone to find you
with search and friend finder using the contact info you have
provided, such as your email address and phone number. You can
modify these settings at any time from the Privacy Settings page.

"Facebook has developed an extensive system for preventing the
malicious usage of our search functionality and the scenario
described by the researcher was indeed rate-limited and
eventually blocked. We are constantly updating these systems to
improve their effectiveness and address new kinds of attacks."

Until yesterday (Oct. 8), a savvy telemarketer could have created
a computer script generating possible mobile-phone numbers, then
harvested whatever real names were matched to them through
Facebook.

To prove it, Prakash did exactly that, running through thousands
of possible mobile numbers in India and in New York City. (Unlike
the rest of North America, New York has an area code dedicated to
mobile numbers.)

You can see a small subset — 850 names — of Prakash's results
here. If you've got a New York mobile
number in the format (917) 5x2-xxxx, you may even be on it.

With a
botnet of 100,000 hijacked computers, Prakash estimated, the
entire Facebook mobile-phone-listing database could have been
harvested in a few days.

Facebook tweaked its settings to limit the number of responses it
would give to a specific IP address. But the method still works
manually.

TechNewsDaily was able to find the mobile numbers of four
strangers, all of whom had presumably not tweaked their default
privacy settings, by slowly running through a list of 20 possible
New York numbers.
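The enumeration the article describes, and the reason a per-IP rate limit does not stop it, can be simulated offline. The following is an added example written for this page; it is not Facebook's code or Prakash's script. The reverse-lookup service, its directory (a constructed, reproducible random 2% of the (917) 5x2-xxxx space mapped to fake names), the limit of 100 lookups per source per hour, and the source labels are all assumptions made for the demonstration. It shows that one source gets cut off after its quota, while a pool of sources each spending its own quota covers the whole space in a single window.

```python
import math
import random
from collections import defaultdict

RATE_LIMIT = 100        # assumed: lookups one source may make per window
WINDOW_SECONDS = 3600   # assumed: length of the rate-limit window


def enumerate_917_5x2():
    """Every number in the (917) 5x2-xxxx space the article mentions, written
    with the country code prefix '1' the way the mobile search expects it."""
    return [f"19175{x}2{y:04d}" for x in range(10) for y in range(10000)]


def build_directory(size=2000, seed=1):
    """Constructed stand-in for the real profile database: a reproducible
    random sample of the 917-5x2 space, each number mapped to a fake name."""
    rng = random.Random(seed)
    chosen = rng.sample(enumerate_917_5x2(), size)
    return {number: f"user_{i}" for i, number in enumerate(chosen)}


class RateLimited(Exception):
    """Raised when a source has used up its lookups for the current window."""


class LookupService:
    """Reverse lookup (number -> name) protected only by a per-source
    sliding-window rate limit, the control described in Facebook's statement."""

    def __init__(self, directory, limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.directory = directory
        self.limit = limit
        self.window = window
        self.history = defaultdict(list)  # source -> timestamps of lookups

    def lookup(self, source, number, now):
        recent = [t for t in self.history[source] if now - t < self.window]
        if len(recent) >= self.limit:
            self.history[source] = recent
            raise RateLimited(source)
        recent.append(now)
        self.history[source] = recent
        return self.directory.get(number)   # None for an unlisted number


def harvest(service, numbers, sources, now=0.0):
    """Enumerate `numbers` from a pool of source addresses, using each source
    until it is blocked and then moving to the next. Returns (names found,
    lookups made). All lookups are issued at the same instant, so every
    source gets exactly one window's worth of queries."""
    found, tried = {}, 0
    pool = list(sources)
    for number in numbers:
        while pool:
            try:
                name = service.lookup(pool[0], number, now)
                break
            except RateLimited:
                pool.pop(0)             # this source is burned; move on
        else:
            return found, tried         # every source is blocked
        tried += 1
        if name is not None:
            found[number] = name
    return found, tried


def windows_needed(space_size, sources, limit=RATE_LIMIT):
    """Rate-limit windows a pool of `sources` needs to cover a number space
    when each source is allowed `limit` lookups per window."""
    return math.ceil(space_size / (sources * limit))


if __name__ == "__main__":
    directory = build_directory()
    space = enumerate_917_5x2()

    svc = LookupService(directory)
    names, tried = harvest(svc, space, ["203.0.113.10"])   # one source
    print(f"single source: {tried} lookups, {len(names)} names before block")

    svc = LookupService(directory)
    pool = [f"bot-{i}" for i in range(1000)]               # assumed labels
    names, tried = harvest(svc, space, pool)
    print(f"{len(pool)} sources: {tried} lookups, {len(names)} names")
    print("windows for one source to cover the space:",
          windows_needed(len(space), 1))
```

The per-source limit only changes how many sources the attacker needs: the quota multiplies across addresses, which is what the botnet estimate in the article relies on. A control that bounds the global rate of unmatched lookups, or that stops answering for numbers the querying account has no relationship to, would be needed to change that arithmetic.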

Stumbling into it

Prakash discovered this Facebook feature after he noticed that
his smartphone Facebook app suggested adding friends from his
phone's contact list, based on his contacts' mobile-phone
numbers.

In fact, he could see his contacts' profile photos and link to
their Facebook profiles, even without having "friended" them on
Facebook.

"What it does is that it compares the contact list from your
phone to the FB database to see if you have any friends that are
in your contacts but not on your Facebook account," he wrote. "I
also later figured out that simply 'searching' a person's phone
number (including country code) will show you their account."